1
votes

I have implemented a simple Java web application with Tomcat realm authentication (custom FORM authentication). Now I'm trying to add a second authentication page for the user (two-factor authentication; I'm using Google Authenticator). As far as I can tell from the Tomcat documentation, we can specify only one login-config.

I tried adding a filter and also tried managing whether the user has finished the Two-Factor authentication manually with session and tokens.

Is there a way to add the second authentication in the web.xml or the server.xml, so that Tomcat handles whether the user has finished both authentications?

Thanks in advance.

1
Hello! Welcome to SO. In order to get answers, you should probably include in your question some code illustrating what you tried, and output showing what went wrong and at which point. – deqyra
I would have included it, but there is no error in the implementation. I was asking for a suggestion for implementing the 2FA. Thanks for your time. – Aravindh balaji

1 Answer

1
votes

Tomcat only starts one login process. That process may decide to ask the user for more than one credential, but Tomcat is not aware of it.

So, you should create a filter and/or login servlet that handles authentication for the Tomcat container. That filter/servlet (combination) must prompt for all desired credentials.

If you do not use a framework for your application that already has an authentication layer, you are essentially writing your own 2FA implementation.
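
One way to build the filter described in the answer above, as an added example that is not part of the original answer: Tomcat's FORM login stays the first step, and the filter refuses to pass an authenticated session until a TOTP code has been checked. It assumes Tomcat 10+ (`jakarta.servlet`; use `javax.servlet` on Tomcat 9), and the class name, the `/totp` page, the `totpVerified` session attribute, the `code` form field and the `secretFor` hook are all hypothetical names.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.*;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
public abstract class SecondFactorFilter extends HttpFilter {
    static final String VERIFIED = "totpVerified"; // hypothetical session attribute
    static final String TOTP_PAGE = "/totp";       // hypothetical page holding the code form
    // Hypothetical hook: return the user's raw (already Base32-decoded) TOTP key, or null.
    protected abstract byte[] secretFor(String user);

    @Override
    protected void doFilter(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession s = req.getSession(false);
        boolean second = s != null && Boolean.TRUE.equals(s.getAttribute(VERIFIED));
        // No principal: the container login has not happened, so there is nothing to gate yet.
        if (req.getUserPrincipal() == null || second) { chain.doFilter(req, res); return; }
        if (!TOTP_PAGE.equals(req.getServletPath())) { res.sendRedirect(req.getContextPath() + TOTP_PAGE); return; }
        if ("POST".equals(req.getMethod()) && verify(secretFor(req.getRemoteUser()),
                req.getParameter("code"), System.currentTimeMillis() / 1000)) {
            req.changeSessionId();                                  // fresh session id after step-up
            req.getSession().setAttribute(VERIFIED, Boolean.TRUE);
            res.sendRedirect(req.getContextPath() + "/"); return;
        }
        chain.doFilter(req, res);                                   // show (or re-show) the code form
    }

    // RFC 6238 TOTP: HMAC-SHA1, 30-second step, 6 digits, accepting one step of clock skew.
    static boolean verify(byte[] key, String code, long unixSeconds) {
        if (key == null || code == null) return false;
        try {
            Mac mac = Mac.getInstance("HmacSHA1");
            mac.init(new SecretKeySpec(key, "HmacSHA1"));
            for (long t = unixSeconds / 30 - 1; t <= unixSeconds / 30 + 1; t++) {
                byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(t).array());
                int o = h[h.length - 1] & 0x0f;                     // dynamic truncation offset
                int bin = (h[o] & 0x7f) << 24 | (h[o + 1] & 0xff) << 16 | (h[o + 2] & 0xff) << 8 | (h[o + 3] & 0xff);
                String want = String.format("%06d", bin % 1_000_000);
                if (MessageDigest.isEqual(want.getBytes(), code.trim().getBytes())) return true;
            }
            return false;
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}
```

The filter must be mapped to every URL pattern covered by the `security-constraint`, because Tomcat sets the user principal as soon as the first factor succeeds. Limiting failed attempts and rejecting a code that was already used are not shown.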